LinuxQuestions.org
Old 03-28-2014, 11:56 AM   #1
Rhodderz
LQ Newbie
 
Registered: Nov 2013
Location: Plymouth, UK
Distribution: Debian
Posts: 15

Rep: Reputation: Disabled
Access Denied When Connecting to Samba; Security = ADS


So after having fun getting Samba on Debian to join a Windows 2012R2 domain, I have almost all functionality. One problem I'm now having is that if I try to connect to my NAS via:

Address used | Response
\\192.168.0.253 | The Username or Password is incorrect
\\RMMD-NAS-1 | Access Denied

or by doing
smbclient -L /RMMD-NAS-1 -k
I get
ads_krb5_mk_req: smb_krb5_get_credentials failed for cifs/RMMD-NAS-1@RMMD.INT (Matching credential not found)
cli_session_setup_kerberos: spnego_gen_krb5_negTokenInit failed: Matching credential not found
session setup failed: NT_STATUS_UNSUCCESSFUL

smb.conf
Code:
[global]
        server string = Rhodderz NAS
        workgroup = RMMD
        netbios name = RMMD-NAS-1
        realm = RMMD.INT
        syslog = 3
        dns proxy = no
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        security = ADS
        password server = RMMD-SVR-1.RMMD.INT
        encrypt passwords = yes
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
        winbind separator = +
        ;winbind normalize names = yes
        winbind refresh tickets = yes
        idmap uid = 50-9999999999
        idmap gid = 50-9999999999
        template shell = /bin/bash
        ntlm auth = yes
        client ntlmv2 auth = yes
        client lanman auth = no
        log file = /var/log/samba/%m.log

;[homes]
;       browseable = no
;       comment = Home Directories
;       writable = yes
;       create mode = 0700
;       directory mode = 0700

[share]
        ;available = yes
        comment = Main Root of Share
        path = /disk/share
        create mask = 777
        nt acl support = yes
        inherit permissions = no
        force group = "RMMD.INT+domain users"
        directory mask = 755
        writable = yes
        valid users = %S
and testparm -s gives
Code:
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
WARNING: The "idmap uid" option is deprecated
WARNING: The "idmap gid" option is deprecated
Processing section "[share]"
Loaded services file OK.
WARNING: The setting 'security=ads' should NOT be combined with the 'password server' parameter.
(by default Samba will discover the correct DC to contact automatically).
'winbind separator = +' might cause problems with group membership.
Server role: ROLE_DOMAIN_MEMBER
[global]
        workgroup = RMMD
        realm = RMMD.INT
        server string = Rhodderz NAS
        security = ADS
        password server = RMMD-SVR-1.RMMD.INT
        syslog = 3
        log file = /var/log/samba/%m.log
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        dns proxy = No
        template shell = /bin/bash
        winbind separator = +
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        winbind refresh tickets = Yes
        idmap config * : range = 50-9999999999
        idmap config * : backend = tdb

[share]
        comment = Main Root of Share
        path = /disk/share
        valid users = %S
        force group = "RMMD.INT+domain users"
        read only = No
        create mask = 0777
and nsswitch.conf
Code:
passwd:         compat winbind
group:          compat winbind
shadow:         compat

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       compat ldap
Any help is appreciated, cheers
 
Old 03-28-2014, 12:34 PM   #2
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,945

Rep: Reputation: Disabled
Besides the issues pointed out by testparm, there's nothing obviously wrong with your smb.conf. Well, mapping UIDs and GIDs as low as 50 is bound to cause conflicts with existing Linux users and groups, but that's (probably) not what's causing the authentication errors.

(You should drop the "password server" option though, and consider a different winbind separator.)

Can you successfully obtain a Kerberos ticket with kinit AD_user@RMMD.INT? You will be prompted for a password, and a successful authentication attempt will result in no output. klist should then show a ticket.

Does wbinfo -u and wbinfo -g show users and groups from Active Directory?

Does getent passwd and getent group list both local users/groups and users/groups from Active Directory?
 
Old 03-28-2014, 12:38 PM   #3
Rhodderz
LQ Newbie
 
Registered: Nov 2013
Location: Plymouth, UK
Distribution: Debian
Posts: 15

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Ser Olmy
Besides the issues pointed out by testparm, there's nothing obviously wrong with your smb.conf. Well, mapping UIDs and GIDs as low as 50 is bound to cause conflicts with existing Linux users and groups, but that's (probably) not what's causing the authentication errors.

(You should drop the "password server" option though, and consider a different winbind separator.)

Can you successfully obtain a Kerberos ticket with kinit AD_user@RMMD.INT? You will be prompted for a password, and a successful authentication attempt will result in no output. klist should then show a ticket.

Does wbinfo -u and wbinfo -g show users and groups from Active Directory?

Does getent passwd and getent group list both local users/groups and users/groups from Active Directory?
I can get a ticket via kinit for both administrator and my main account.
Both wbinfo -u and -g give appropriate responses.
wbinfo -u
Code:
RMMD-NAS-1+root
administrator
guest
krbtgt
rhodderz
assassinsadmin
musicplayer
linuxadmin
(Assassins admin is for a society at the uni I am at)

wbinfo -g
Code:
domain computers
domain controllers
schema admins
enterprise admins
cert publishers
domain admins
domain users
domain guests
group policy creator owners
ras and ias servers
allowed rodc password replication group
denied rodc password replication group
read-only domain controllers
enterprise read-only domain controllers
cloneable domain controllers
protected users
dnsadmins
dnsupdateproxy
helplibraryupdaters
sqlserver2005sqlbrowseruser$rmmd-svr-1
assassins administration group
linux sudoers
nasmembers
And I know about the small errors that were shown in testparm and the low IDs; I was playing around as I ran out of ideas.
 
Old 03-28-2014, 12:40 PM   #4
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,945

Rep: Reputation: Disabled
And how about getent, which uses the winbind NSS library?
 
Old 03-28-2014, 12:43 PM   #5
Rhodderz
LQ Newbie
 
Registered: Nov 2013
Location: Plymouth, UK
Distribution: Debian
Posts: 15

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Ser Olmy
And how about getent, which uses the winbind NSS library?
Sorry, forgot that bit.
I get this back when I issue those:
Code:
root@RMMD-NAS-1:~# getent passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
Debian-exim:x:101:103::/var/spool/exim4:/bin/false
statd:x:102:65534::/var/lib/nfs:/bin/false
sshd:x:103:65534::/var/run/sshd:/usr/sbin/nologin
rhoddderz:x:1000:1000:Rhodri Mark Metcalfe-Davies,,,:/home/rhoddderz:/bin/bash
messagebus:x:104:106::/var/run/dbus:/bin/false
openldap:x:105:109:OpenLDAP Server Account,,,:/var/lib/ldap:/bin/false
znc:x:1001:1001::/home/znc:/bin/sh
root@RMMD-NAS-1:~# getent group
root:x:0:
daemon:x:1:
bin:x:2:
sys:x:3:
adm:x:4:
tty:x:5:
disk:x:6:
lp:x:7:
mail:x:8:
news:x:9:
uucp:x:10:
man:x:12:
proxy:x:13:
kmem:x:15:
dialout:x:20:
fax:x:21:
voice:x:22:
cdrom:x:24:rhoddderz
floppy:x:25:rhoddderz
tape:x:26:
sudo:x:27:
audio:x:29:rhoddderz
dip:x:30:rhoddderz
www-data:x:33:
backup:x:34:
operator:x:37:
list:x:38:
irc:x:39:
src:x:40:
gnats:x:41:
shadow:x:42:
utmp:x:43:
video:x:44:rhoddderz
sasl:x:45:
plugdev:x:46:rhoddderz
staff:x:50:
games:x:60:
users:x:100:
nogroup:x:65534:
libuuid:x:101:
crontab:x:102:
Debian-exim:x:103:
mlocate:x:104:
ssh:x:105:
rhoddderz:x:1000:
messagebus:x:106:
utempter:x:107:
sambashare:x:108:
openldap:x:109:
winbindd_priv:x:110:
znc:x:1001:
nasmembers:x:1002:
One thing I notice straight away is that it has successfully gotten nasmembers from the domain as well (this was the group I was going to use to define which users have access to the shares).
 
Old 03-28-2014, 12:49 PM   #6
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,945

Rep: Reputation: Disabled
getent doesn't list a single user or group from AD. "nasmembers" must be a local group.

Can you see the computer account object for RMMD-NAS-1 in AD? I suspect the trust relationship may have been broken, which would explain the error message:
Code:
ads_krb5_mk_req: smb_krb5_get_credentials failed for cifs/RMMD-NAS-1@RMMD.INT
(Matching credential not found)
cli_session_setup_kerberos: spnego_gen_krb5_negTokenInit failed: Matching credential not found
You should consider resetting or deleting the account object and run net ads join again.

Edit: And if you do, consider deleting the idmap database and changing the idmap parameters so that they don't totally obliterate all your local accounts and groups.

Last edited by Ser Olmy; 03-28-2014 at 12:52 PM.
 
Old 03-28-2014, 12:55 PM   #7
Rhodderz
LQ Newbie
 
Registered: Nov 2013
Location: Plymouth, UK
Distribution: Debian
Posts: 15

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Ser Olmy
getent doesn't list a single user or group from AD. "nasmembers" must be a local group.

Can you see the computer account object for RMMD-NAS-1 in AD? I suspect the trust relationship may have been broken, which would explain the error message:
Code:
ads_krb5_mk_req: smb_krb5_get_credentials failed for cifs/RMMD-NAS-1@RMMD.INT
(Matching credential not found)
cli_session_setup_kerberos: spnego_gen_krb5_negTokenInit failed: Matching credential not found
You should consider resetting or deleting the account object and run net ads join again.
NasMembers has only been created on the controller. RMMD-NAS-1 is in the AD. Removing it and rejoining with "net ads join -U administrator" joins successfully with the response of
Code:
Using short domain name -- RMMD
Joined 'RMMD-NAS-1' to dns domain 'rmmd.int'
But I still cannot access the shares, and "smbclient -L /RMMD-NAS-1 -k" still gives the same error. It did give Logon_Denied before, but I can't get it back to that state.
 
Old 03-28-2014, 01:03 PM   #8
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,945

Rep: Reputation: Disabled
The Kerberos error clearly says that a credential could not be found. Does the SPN even exist? I don't have a Windows server handy right now, but I believe setspn -L RMMD-NAS-1 should list SPNs associated with that computer account.
 
Old 03-28-2014, 01:12 PM   #9
Rhodderz
LQ Newbie
 
Registered: Nov 2013
Location: Plymouth, UK
Distribution: Debian
Posts: 15

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Ser Olmy
The Kerberos error clearly says that a credential could not be found. Does the SPN even exist? I don't have a Windows server handy right now, but I believe setspn -L RMMD-NAS-1 should list SPNs associated with that computer account.
setspn -L RMMD-NAS-1 gives
Code:
Registered ServicePrincipalNames for CN=rmmd-nas-1,CN=Computers,DC=rmmd,DC=int:
            HOST/rmmd-nas-1.rmmd.int
            HOST/RMMD-NAS-1
So it seems to be there.
 
Old 03-28-2014, 01:25 PM   #10
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,945

Rep: Reputation: Disabled
OK. Actually, wbinfo should have failed if the account trust relationship wasn't working.

That leaves the issue of the non-functional getent. The accounts and groups listed are definitely all local, including "nasusers". Domain accounts should appear in the format "DOMAIN[winbind_separator]account".

In almost all cases where getent fails to enumerate AD accounts even though wbinfo works, the idmap configuration is to blame (like in this case, which is just one of many that turn up if you do a Google search). Try changing the idmap settings to the proper syntax and delete the existing database.

Last edited by Ser Olmy; 03-28-2014 at 01:28 PM.
 
Old 03-28-2014, 01:59 PM   #11
Rhodderz
LQ Newbie
 
Registered: Nov 2013
Location: Plymouth, UK
Distribution: Debian
Posts: 15

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Ser Olmy
OK. Actually, wbinfo should have failed if the account trust relationship wasn't working.

That leaves the issue of the non-functional getent. The accounts and groups listed are definitely all local, including "nasusers". Domain accounts should appear in the format "DOMAIN[winbind_separator]account".

In almost all cases where getent fails to enumerate AD accounts even though wbinfo works, the idmap configuration is to blame (like in this case, which is just one of many that turn up if you do a Google search). Try changing the idmap settings to the proper syntax and delete the existing database.
Hi again, sorry for being a pain; I'm still slightly new to this sort of error (I didn't have a problem when Samba was the domain controller). I have changed my global section to this:
Code:
[global]
        server string = Rhodderz NAS
        workgroup = RMMD
        netbios name = RMMD-NAS-1
        realm = RMMD.INT
        syslog = 3
        dns proxy = no
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        security = ADS
        encrypt passwords = yes
        winbind use default domain = yes
        winbind enum users = yes
        winbind enum groups = yes
        winbind separator = +
        idmap config * : backend = tdb
        idmap config * : range = 100001-200000
        idmap config RMMD.INT : backend = ad
        idmap config RMMD.INT : range = 100001-200000
        idmap config RMMD.INT : base_rid = 0
        template shell = /bin/bash
        ntlm auth = no
        client ntlmv2 auth = yes
        lanman auth = no
        log file = /var/log/samba/%m.log
I restarted, blanked the cache/db and rejoined the domain, but I still get the error. I know the error is staring me in the face, but with my lack of experience I'm not sure what it is. getent still doesn't have any of the domain users or groups either.

Edit:
I rebooted after deleting the cache and let Samba start naturally.
Now smbclient -L /RMMD-NAS-1 -k gives me
"session setup failed: NT_STATUS_ACCESS_DENIED"

Last edited by Rhodderz; 03-28-2014 at 02:07 PM. Reason: Rebooted fully instead of restarting the service
 
Old 03-28-2014, 02:07 PM   #12
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,945

Rep: Reputation: Disabled
I see you've changed the idmap backend to "ad". That requires RFC 2307 extensions in the AD schema, and I don't think they exist by default. (Other than that, RFC 2307 provides a great way to store Unix-related information in directory services.)

Unless you actually have the RFC 2307 extensions in your AD schema, you should use the tdb or rid backends (the latter doesn't require a database at all).
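The idmap points raised in this thread (the low 50-9999999999 range shadowing local accounts, the deprecated syntax, and an "ad" backend without RFC 2307 attributes) can be checked mechanically. The following is an added example, not code from this thread or from Samba; it parses a constructed smb.conf excerpt built from the values posted above and reports the same findings the replies and testparm point out.

```python
# Added example (not code from this thread): a small reviewer for the idmap
# settings of a Samba AD member server, using values posted above.
import re

def parse_global(conf):
    """Return the [global] parameters as a dict with lower-cased keys."""
    params, in_global = {}, False
    for line in conf.splitlines():
        line = line.strip()
        if not line or line[0] in ";#":          # skip blanks and comments
            continue
        if line.startswith("["):                 # section header
            in_global = line.lower() == "[global]"
            continue
        if in_global and "=" in line:
            key, val = line.split("=", 1)
            params[re.sub(r"\s+", " ", key.strip().lower())] = val.strip()
    return params

def idmap_ranges(params):
    """Map each idmap domain ('*', 'rmmd.int', ...) to its (low, high) range."""
    ranges = {}
    for key, val in params.items():
        m = re.fullmatch(r"idmap config (\S+) : range", key)
        if m:
            lo, hi = (int(x) for x in val.split("-"))
            ranges[m.group(1)] = (lo, hi)
    return ranges

def check_idmap(params, local_ids):
    """Return findings like those testparm and the replies above raise."""
    findings = []
    if params.get("security", "").lower() == "ads" and "password server" in params:
        findings.append("'password server' should not be set with security = ADS")
    ranges = idmap_ranges(params)
    for dom, (lo, hi) in ranges.items():
        clash = sorted(i for i in local_ids if lo <= i <= hi)
        if clash:                                # would shadow local accounts
            findings.append(f"{dom} range {lo}-{hi} overlaps local ids {clash[:3]}")
        if params.get(f"idmap config {dom} : backend") == "ad":
            findings.append(f"{dom} backend 'ad' needs RFC 2307 uidNumber/gidNumber in AD")
    doms = sorted(ranges)
    for i, a in enumerate(doms):
        for b in doms[i + 1:]:                   # Samba needs disjoint ranges
            if ranges[a][0] <= ranges[b][1] and ranges[b][0] <= ranges[a][1]:
                findings.append(f"ranges for {a} and {b} overlap")
    return findings

# Constructed: the '*' range testparm printed for the first smb.conf plus the
# RMMD.INT entries from the second one.
SMB_CONF = """[global]
        security = ADS
        password server = RMMD-SVR-1.RMMD.INT
        idmap config * : range = 50-9999999999
        idmap config RMMD.INT : backend = ad
        idmap config RMMD.INT : range = 100001-200000
[share]
        path = /disk/share
"""
LOCAL_IDS = {0, 1, 33, 100, 1000, 1001, 65534}  # constructed from getent above
print(*check_idmap(parse_global(SMB_CONF), LOCAL_IDS), sep="\n")
```

A clean configuration (tdb or rid backends, ranges above the local UID space and disjoint from each other) yields no findings.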
 
Old 03-28-2014, 02:10 PM   #13
Rhodderz
LQ Newbie
 
Registered: Nov 2013
Location: Plymouth, UK
Distribution: Debian
Posts: 15

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Ser Olmy
I see you've changed the idmap backend to "ad". That requires RFC 2307 extensions in the AD schema, and I don't think they exist by default. (Other than that, RFC 2307 provides a great way to store Unix-related information in directory services.)

Unless you actually have the RFC 2307 extensions in your AD schema, you should use the tdb or rid backends (the latter doesn't require a database at all).
Ah, I did not know that, sorry, my bad. I have changed it to tdb (and tried rid), but now I still get NT_STATUS_ACCESS_DENIED.
 
Old 03-28-2014, 02:11 PM   #14
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,945

Rep: Reputation: Disabled
Does getent finally enumerate users and groups?
 
Old 03-28-2014, 02:21 PM   #15
Rhodderz
LQ Newbie
 
Registered: Nov 2013
Location: Plymouth, UK
Distribution: Debian
Posts: 15

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Ser Olmy
Does getent finally enumerate users and groups?
Unfortunately it hasn't :/ and as soon as I rebooted it went back to the error, which is a tad frustrating as I didn't change anything. I tried rejoining the domain with the same downside. Also, if I do wbinfo -u or -g I get the appropriate response, but when I do -i rhodderz I get
failed to call wbcGetpwnam: WBC_ERR_DOMAIN_NOT_FOUND
Could not get info for user rhodderz

If I change the backend to ad and add the schema_mode of rfc2307 (which apparently (don't take my word for it, as I keep seeing this pop up on random forums) 2012+ uses by default) I can then do wbinfo -i rhodderz and I get
rhodderz:*:101104:101121:Rhodri Metcalfe-Davies:/home/RMMD/rhodderz:/bin/bash
Thanks for helping this far, by the way.

EDIT:
I removed ads and put the backend back to tdb, and I still get the info as above when I do wbinfo -i rhodderz,
and when I did smbclient -L /RMMD-NAS-1 -k I got
NT_STATUS_LOGON_FAILURE
This is after I kinit my admin account.

Last edited by Rhodderz; 03-28-2014 at 06:56 PM. Reason: New info